Corporate compliance success requires strict governance rules


Matt Bolch, Contributor
11.08.2006


Corporate compliance initiatives have grown tremendously over the past quarter century as federal regulators and Congress have enacted more than 114,000 business governance rules and regulations. Of course, no company has to comply with all of those regulations, but many certainly are applicable. And when global regulations are taken into consideration for companies with an international presence, the onus of corporate compliance can be heavy indeed.

The Sarbanes-Oxley Act of 2002 (SOX) brought the issue of corporate compliance to the forefront as affected companies dashed to complete the initial documents to demonstrate compliance. Then, while employees were breathing a collective sigh of relief, the realization hit home that the process would have to be repeated again and again to remain in compliance.

Keys to staying in compliance include creating comprehensive policies around corporate governance, devising systems to share data across compliance documents to avoid duplication of work, establishing clear lines of responsibility so each person knows what data to gather and when, and making those processes part of a company's culture. But many of those policy and procedure changes are easier said than done, so many companies remain in the reactive mode, struggling to stay in compliance.

Richard Diamond, CIO at FormFactor Inc., has been slowly realigning the public company from a reactive mode in regard to corporate compliance to a more proactive one. The Livermore, Calif.-based maker of advanced wafer probe cards used by semiconductor manufacturers has endured numerous Sarbanes-Oxley audits, a process that Diamond said is time-consuming and expensive.

"Very often, there is a raising of the bar by auditors the next year, so [compliance] often is a moving target," said Diamond, who joined FormFactor earlier this year after a stint with Management Agility Inc. One of that company's practice areas is compliance management, so Diamond has traveled this road before. "If you stay in a reactive mode, you are always on the treadmill and will remain there indefinitely," he said.

During Diamond's short tenure, FormFactor has worked with an outside consultant to help it define and publish IT policies and is currently identifying the critical processes that will be addressed first. "Once that's complete, we will have turned a corner," Diamond said. "We expect our procedures and controls will support SOX compliance without spending significant dollars ahead of time" on the audit preparation partners that FormFactor has used to get ready for an audit.

FormFactor is working with VariTrak Systems Inc., a Los Angeles-based software company that helps manage operational risk as it relates to corporate compliance. VariTrak CEO Dean Lane compares his company's product to the warning lights on vehicles that point out problems or maintenance concerns.

"There are 100 things that fall into the corporate compliance arena, not only SOX but ISO, FDA, HIPAA and internal policies and procedures," Lane said. After bringing databases and spreadsheets to a common platform, the system sends reminders to the appropriate employees about when compliance tasks need to be accomplished, escalating those alerts should the work remain undone. A dashboard feature of the subscription service allows board members and C-level execs to monitor corporate compliance. "Everyone wants to do a good job … and they're happy to get a tool to take care of compliance," Lane said.

While a software solution can take care of the nuts-and-bolts issues surrounding corporate compliance, "Software without the right organizational structure will do nothing," cautioned Michael Rasmussen, vice president for risk and compliance research at Forrester Research Inc. in Cambridge, Mass.

Companies serious about corporate compliance issues are naming chief compliance officers and devoting the necessary funds to address not only external requirements and laws but also internal compliance around corporate governance, IT, sales and product manufacturing. "The ones that are paying attention to this issue are the ones that have had problems in the past," Rasmussen said.

Adrian Bowles, program director for regulatory compliance at Object Management Group Inc. in Needham, Mass., recommends that companies use corporate compliance tools based on the Control Objectives for Information and related Technology (COBIT). The IT governance framework and supporting tool set allow managers to bridge the gap between control requirements, technical issues and business risks. "If a company uses COBIT controls, it can trace back to see what the company is compliant with," Bowles said.

As regulatory demands on business continue to escalate, compliance isn't going away. The key, experts say, is to stay ahead of the regulations whenever possible.

"You'll never solve the compliance problem as long as you're reactive," Diamond said. "Good IT governance and control is the proactive solution to SOX compliance."

Matt Bolch is a freelance writer based out of Atlanta.

All Rights Reserved, Copyright 2007 - 2009, TechTarget | Read our Privacy Policy